When the FSMA cryptoasset regime starts — expected 25 October 2027, with applications from 30 September 2026 — UK crypto firms come within the Senior Managers and Certification Regime for the first time. An entire sector that has never put an individual through SMF approval will need approved compliance oversight (SMF16) and money laundering reporting (SMF17) functions. This guide explains what the regime requires, how the two functions work in a crypto context, whether to combine or split them, and how to hire for them.
Of all the changes the new cryptoasset regime brings, the Senior Managers and Certification Regime is the one with the least precedent inside the sector. Registered cryptoasset firms have never been subject to SMCR: registration under the Money Laundering Regulations tests the firm’s financial crime framework and its MLRO’s fitness, but it creates no approved persons, no Statements of Responsibilities, no certification population and no conduct rules. Authorisation under FSMA changes all of that at once. From the regime start, a crypto firm’s senior managers hold their roles by individual FCA approval, carry personal regulatory accountability for their areas, and can face enforcement personally where things go wrong on their watch.
For most firms, the two functions that matter first — and the two that determine authorisation outcomes — are SMF16 (Compliance Oversight) and SMF17 (Money Laundering Reporting Officer). This guide covers both in the crypto context, and the hiring decisions they force.
SMCR in brief — and what it means for a first-time sector
The Senior Managers and Certification Regime has three components. The Senior Managers Regime requires individuals performing designated Senior Management Functions to be approved by the FCA before taking up the role, each with a Statement of Responsibilities documenting what they are personally accountable for. The Certification Regime requires firms themselves to certify, at least annually, that staff in roles capable of significant harm are fit and proper. The Conduct Rules apply enforceable standards of behaviour to almost all staff, with additional rules for senior managers.
Two features deserve emphasis for a sector meeting the regime for the first time. The first is the duty of responsibility: where a firm breaches a regulatory requirement, the senior manager responsible for that area can be held personally accountable if they failed to take reasonable steps to prevent the breach. Accountability under SMCR is not symbolic — it is enforceable against the individual, which is why candidates weigh these roles carefully and price them accordingly. The second is regulatory references: firms must request references covering the past six years from a candidate’s previous employers, in a prescribed form that includes conduct breaches and disciplinary findings. Hiring timelines must accommodate this — and crypto-native candidates whose employment history sits outside regulated firms will have thinner reference trails, which the FCA assessment takes into account.
Our existing coverage of the regime for regulated firms generally — the SMCR compliance recruitment page and the FCA-regulated firms hub — provides the general framework. The remainder of this guide is crypto-specific.
SMF16: Compliance Oversight in a cryptoasset firm
SMF16 is the function with responsibility for the firm’s compliance oversight arrangements under SYSC — in practice, the Head of Compliance or Chief Compliance Officer. In a cryptoasset firm the function’s workload divides into three phases.
The authorisation phase
Before the regime even starts, the SMF16 candidate is the natural owner of the FSMA application: the regulatory business plan, the perimeter analysis mapping the firm’s activities (exchange, dealing, custody, staking, issuance) to the new permissions, the policy and procedures suite, and the working relationship with the FCA case officer. The FCA’s long-standing expectation — stated explicitly for MLROs in the registration regime and applied in practice across authorisation gateways — is that the individuals who will hold the functions shape the application. An application inherited from consultants by a later hire is visibly weaker at interview. This is the single strongest argument for making the SMF16 hire early: the person approved to oversee compliance should be the person who designed the compliance framework the FCA assessed. Our FSMA authorisation guide covers the application in full.
The build phase
Post-authorisation, SMF16 owns the compliance monitoring programme, regulatory change management (acute in a sector whose rulebook is being written in real time through FCA policy statements), conduct standards, financial promotions compliance for cryptoassets — one of the FCA’s most active enforcement areas — and the certification and conduct rules machinery of SMCR itself, which the firm has never operated before.
The crypto-specific dimension
The strongest SMF16 candidates for crypto firms combine regulated-firm compliance leadership (payments, e-money, investment firms) with genuine digital asset fluency: the ability to assess smart contract and custody risk, to work with blockchain analytics outputs, and to translate on-chain reality into FCA-legible controls. Pure crypto-native compliance leads often lack the FCA process depth; pure traditional-finance candidates often lack the technical credibility. The pool that holds both is small and contested — the central fact of this hiring market.
SMF17: the MLRO under full SMCR
The MLRO function is the one part of SMCR the crypto sector has partially met before: every registered firm already has a nominated officer assessed by the FCA under the MLR regime. SMF17 approval formalises and extends that position. The individual undergoes the full approved persons process — application via the FCA’s Connect system, regulatory references, fitness and propriety assessment, and interview where the FCA considers it necessary — and thereafter holds personal accountability under the duty of responsibility for the firm’s compliance with financial crime requirements in their area.
The substance of the role — the business-wide risk assessment, CDD and transaction monitoring across fiat and on-chain activity, SAR management under the Proceeds of Crime Act, sanctions screening, training and board reporting — is covered in depth in our dedicated crypto MLRO guide. Three points specific to the SMCR transition are worth adding here.
First, continuity is an asset: an MLRO already assessed under the registration regime carries a helpful FCA history into SMF17 approval, and the FCA’s warnings about mid-application MLRO changes apply with equal force at the authorisation gateway. Firms planning the transition should plan to keep their MLRO through it. Second, the accountability step-up changes the employment conversation: candidates moving from nominated officer to SMF17 status commonly seek revised terms — compensation, indemnities, directors’ and officers’ cover, and clarity of resource commitments — reflecting the personal enforcement exposure. Third, the FCA’s scrutiny of non-UK-based MLROs continues into the new regime; international groups should plan on a UK-based SMF17 embedded in the UK entity.
Combine or split: one individual or two?
The most common structural question we field from crypto firms preparing for the regime. The FCA accepts SMF16 and SMF17 held by one individual — a widespread arrangement at smaller regulated firms across financial services — provided the person genuinely has the skills and capacity for both. The right answer is driven by scale and risk profile rather than preference.
The combined model suits firms at authorisation stage and early scale: one senior hire, one approval process, one accountable owner of the whole regulatory agenda, and a package the firm can afford. Its limits arrive with volume. An exchange or issuer with meaningful retail flow generates screening and SAR workloads that crowd out the compliance oversight agenda; when the same individual is triaging alerts and rewriting the monitoring plan, both functions degrade. The FCA probes capacity directly at approval interviews — a combined candidate should expect to explain, credibly, how the time divides.
The split model — a Head of Compliance holding SMF16 and a dedicated MLRO holding SMF17 — is the destination structure for scaled firms, and the FCA’s expectation for businesses whose financial crime workload is a full-time job in itself. The transition point is usually visible in the metrics: sustained internal SAR volume, alert backlogs, or a supervisory observation about resourcing. Many firms sequence deliberately: a combined SMF16/17 hire through authorisation, then a dedicated SMF17 or deputy MLRO within the first year of the new regime, with the original hire retaining SMF16.
A third pattern worth naming: the fractional bridge. Pre-revenue firms — sandbox participants, infrastructure builders, issuers ahead of launch — increasingly engage a fractional SMF16/17-calibre individual for the application phase, converting to permanent as the business scales. The FCA accepts fractional arrangements where the function is genuinely performed; our fractional MLRO service covers the model.
The hiring market: supply, price and process
The arithmetic of the transition is stark. Every authorised cryptoasset firm will need SMF16 and SMF17 coverage; the number of individuals who combine FCA approval history, compliance leadership experience and crypto competence is a fraction of the demand the 2026–2027 gateway will generate; and every firm is hiring against the same deadline. Payments and e-money firms lived through a smaller version of this during their own authorisation waves — salaries for approved compliance leaders stepped up sector-wide and never stepped back.
Current London benchmarks in our placement work: combined SMF16/17 roles at authorisation-stage crypto firms from around £120,000 to £200,000 plus equity; dedicated SMF17 at scaled firms £90,000–£180,000; SMF16/Head of Compliance at scaled firms £130,000–£220,000; interim day rates at a premium to payments-sector equivalents. Qualifications that carry weight include ICA diplomas in compliance and AML, ACAMS CAMS, and legal qualifications with financial crime practice; blockchain analytics certifications increasingly feature. Verification discipline matters: claimed approvals should be checked against the FCA Register, and titles can mislead — an “MLRO” at an unregulated or registration-only firm has never held SMF17, a distinction that decides whether a candidate is approvable on the FCA’s timeline or starting from scratch.
On process: allow three to six months from brief to start for permanent SMF-calibre hires (search, notice periods, regulatory references), plus the FCA’s approval determination after the regime application is in. Firms targeting the first authorisation window in autumn 2026 and hiring from mid-2026 onward are already on the critical path.
The approval process, step by step
For a sector that has never run one, the mechanics of an SMF approval are worth setting out plainly. The sequence for a cryptoasset firm naming SMF16/17 candidates in its authorisation application runs as follows.
Step one: the Statement of Responsibilities. Before anything is filed, the firm drafts each candidate’s SoR — the document recording exactly what the individual is personally accountable for. In a crypto firm this means being precise about where compliance oversight ends and financial crime begins, who owns financial promotions, who owns the custody control framework, and how responsibilities divide if functions are combined. Vague or overlapping SoRs generate case officer questions; gaps between them generate worse ones.
Step two: the candidate’s own file. The Form A (or equivalent within the authorisation pack) covering employment history, qualifications, directorships, and disclosure of anything adverse — regulatory, criminal, civil or financial. Candour is the operating rule: the FCA’s tolerance for disclosed-and-explained history is far higher than for discovered omissions, and its verification is thorough.
Step three: regulatory references. The firm requests prescribed-form references covering the past six years from previous employers, who are obliged to disclose conduct breaches and disciplinary findings. Crypto-native candidates whose history sits at unregulated firms will have thinner files — not disqualifying, but the FCA leans harder on interviews and other evidence where the reference trail is light. Reference gathering routinely takes weeks and belongs on the critical path, not the afterthought list.
Step four: assessment and interview. The FCA assesses honesty, integrity and reputation; competence and capability for the specific function; and financial soundness. Where it interviews — common for first-time SMF holders and business models it is still calibrating, which describes most of the crypto sector — the session tests the candidate on the application as filed, the firm’s risk profile, and their personal understanding of the accountability they are accepting.
Step five: approval and the ongoing regime. Approval takes effect with authorisation. Thereafter the firm must keep SoRs current, notify changes, run annual fitness and propriety reassessment through the certification machinery, and manage the handover documentation the regime expects when function-holders change.
Getting candidates through interview
The FCA interview deserves specific preparation, because strong practitioners can present badly without it. Three failure patterns dominate. Candidates who talk about their previous firm rather than this one — the FCA is approving them for this role at this business, and expects fluency in its specific model, flows and risks. Candidates who cannot articulate their own accountability — a crisp answer to “what happens to you personally if the financial crime framework fails” is, counterintuitively, reassuring, because it shows the individual understands the duty of responsibility they are accepting. And candidates who overstate resources — interviewers cross-check claimed headcount, tooling and budget against the application, and inflation is corrosive. The preparation that works: a full re-read of the application as submitted, a mock interview with someone who has been through or conducted these sessions, scenario rehearsal on the firm’s three highest-risk flows, and a straight briefing on any skeletons in the firm’s supervisory history so nothing lands as a surprise. On our SMF mandates we build this preparation into the placement as standard — an approved candidate is the deliverable, not a hired one.
SMF16/17 within the wider senior team
The compliance functions do not stand alone in an authorisation application; the FCA reads the senior team as a system, and weaknesses elsewhere undermine strong SMF16/17 hires. Three interfaces deserve design attention.
The SMF1 relationship. The chief executive holds the prescribed responsibilities that frame the whole regime, and the FCA tests whether the compliance functions can genuinely challenge the SMF1 — reporting lines, escalation rights and board access are probed at interview on both sides. For founder-led crypto firms this is the cultural adjustment the regime forces: the founder-CEO becomes an approved person whose relationship with compliance is itself a supervisory interest. Board-tier and SMF1 appointments sit with our sister brand Exec Capital, and on full senior-team builds we run the compliance and executive searches in step so the structure the FCA sees is coherent.
The finance interface. Case officers cross-read the compliance narrative against the financial projections — a business plan that promises conservative growth alongside projections that assume aggressive volume is a credibility problem for both authors. The SMF16 and the CFO should build their sections together; our crypto CFO regulatory guide covers the finance side of the same application.
The second line beneath the functions. An approved SMF17 with no analysts, or an SMF16 with no compliance associate, invites the resourcing question the FCA now asks routinely. The application should show the team beneath the function-holders — even where parts of it are fractional or planned against volume triggers — because the duty of responsibility makes under-resourcing a personal risk the strongest candidates will not accept. Candidates increasingly negotiate resourcing commitments into their terms, and firms should treat that as a sign of quality rather than difficulty.
The system view also answers a question firms often ask us: whether to hire the compliance functions or the executive team first. The practical answer is the compliance functions, marginally — because the FCA’s continuity expectations bind them to the application earliest — but with the SMF1 and board structure settled on paper before either search concludes, so every candidate is signing up to the same organisation the FCA will assess.
Frequently asked questions
When exactly do SMF16 and SMF17 approvals become required for crypto firms?
The functions come with FSMA authorisation. Applications open 30 September 2026 and the regime is expected to start 25 October 2027; senior manager approvals are processed as part of the authorisation application, so firms name and submit their SMF candidates with the application itself. Registered-only firms have no SMF obligations until they are authorised — but the individuals must be identified, hired and involved well before submission.
Can our founder hold SMF16 or SMF17?
Only if genuinely qualified. The FCA assesses competence for the specific function: a founder without compliance or financial crime background will not credibly satisfy the assessment, and naming an unqualified founder is a recognised application weakness. Founders more commonly hold SMF1 or SMF3, with specialist hires taking SMF16/17.
Does our existing registration-regime MLRO automatically become SMF17?
No — SMF17 requires its own approval application with regulatory references and a fresh fitness and propriety assessment. In practice an incumbent MLRO with a clean FCA history is well placed, and continuity is an advantage, but the approval is not automatic.
What does the Certification Regime mean for the rest of our staff?
Roles capable of significant harm — in crypto firms, typically senior financial crime analysts, key custody and treasury personnel, and material risk takers — fall to be certified as fit and proper by the firm annually. Building the certification machinery (role mapping, assessment records, conduct rules training) is part of the SMF16 build-phase workload, and it is new to the entire sector.
We are pre-launch — is a fractional SMF16/17 credible with the FCA?
Yes, where capacity is real: the FCA’s concern is that the function is genuinely performed, not the contractual model. Fractional arrangements are established practice at smaller regulated firms and map naturally onto pre-launch crypto businesses, with conversion to full-time as volume arrives.
Related guides and services
- Cryptoasset Compliance Recruitment
- Cryptoasset FSMA Authorisation: The Complete Guide
- The Crypto MLRO: Regulation 21 and FCA Expectations
- MLRO Recruitment (SMF17)
- SMCR Compliance Recruitment
- Compliance Recruitment
- Fractional MLRO
External resources
- FCA — Senior Managers and Certification Regime
- FCA — Registration under the MLRs ahead of the new FSMA regime
- FCA Register
- Financial Services and Markets Act 2023
- International Compliance Association
- ACAMS
About the Author
Adrian Lawrence FCA is the founder of FD Capital Recruitment and a Fellow of the Institute of Chartered Accountants in England and Wales (ICAEW member record). Adrian holds a BSc from Queen Mary College, University of London and an ICAEW practising certificate in his own name.
FD Capital recruits SMF16 and SMF17 holders — permanent, interim and fractional — for FCA-regulated and authorisation-stage firms across payments, e-money, fintech, lending and digital assets. Adrian personally screens candidates for SMF appointments given the personal accountability dimensions involved, and all claimed approvals are verified against the FCA Register before shortlisting. FD Capital Recruitment Ltd (Companies House no. 13329383) is associated with Adrian’s ICAEW registered practice.
Planning your SMF16/17 hires against the gateway? Call FD Capital on 020 3287 9501 or email recruitment@fdcapital.co.uk. Compliance and MLRO shortlists typically within 5–10 working days.




